The 2007 Yellow Book: What a Beginner Needs to Understand A Governmental Audit Quality Center Web...
-
Upload
marcus-arnold -
Category
Documents
-
view
213 -
download
0
Transcript of The 2007 Yellow Book: What a Beginner Needs to Understand A Governmental Audit Quality Center Web...
1
The 2007 Yellow Book: What a Beginner Needs to UnderstandA Governmental Audit Quality Center Web EventFebruary 9, 2011
Governmental Audit Quality Center
Administrative Notes
If you encounter any technical difficulties (e.g., audio issues) during this event please take the following steps:• Press the F5 key on your computer to refresh• Close and re-start your browser• Check your speakers, ensure they are not on mute• Turn off your pop-up blocker• Re-start you computer• Call InterCall/Genesys Tech support 866.861.4872, Conf ID# 151828• If none of the above work, submit a request for help on the “Ask a
Question Box” located on the left hand side of your screen.
If are unable to get assistance from InterCall/Genesys for some reason, e-mail [email protected] or call 202-434-9207
2
Governmental Audit Quality Center
Administrative Notes
We encourage you to submit your technical questions – please limit your questions to the content of today’s program
To submit a question, type it into the “Ask a Question” box on left side of your screen; we will answer as many as possible
You can also submit questions to the GAQC member forum for consideration by other members
This event is being recorded and will be posted in an archive format to the GAQC Web site
3
Governmental Audit Quality Center
Continuing Professional Education
Must have registered for CPE credit prior to this event; a link to the CPE Credit Approval Form was e-mailed to youListen for announcement of 4 CPE codes (7 digit codes: ALL_ _ _ _ ) and 4 polling questions during the eventRecord CPE Codes on CPE Credit Approval Form and return completed form (by fax or mail) to AICPA Service Center for record of attendance; keep a copy for your records
If you are not receiving CPE for this call, ignore the CPE codes that we announce, but please answer the polling questions
4
Governmental Audit Quality Center
Presenters
Flo Ostrum, CPA Grant Thornton LLP
Brian Schebler, CPA McGladrey & Pullen, LLP
Moderating:
Mary Foelster, CPA AICPA - GAQC
5
Governmental Audit Quality Center
Background
Why are we hosting this event?
Proliferation of federal agencies beginning to require that for-profits undergo financial audits under Government Auditing Standards and compliance audits
Several federal agencies involved and differing types of for-profit entities
Many of the requirements are effective now for the first time
6
Governmental Audit Quality Center 7
Examples of New Federal Requirements
Housing and Urban Development (HUD) - Supervised Mortgagees (Depository Institutions)• Financial statement audit under Government Auditing Standards
and compliance audit using the Consolidated Audit Guide for Audits of HUD Programs (HUD Guide)
• Effective now!• See GAQC Alert #159 (available at www.aicpa.org/GAQC)
Commerce and Agriculture – Telecommunications Companies and Broadband Providers• Awards relate to expansion of broadband technology• Program-specific audit of federal awards and related
compliance audit using program-specific guidance (currently under development)
Governmental Audit Quality Center 8
Examples of New Federal Requirements
Energy – Electric Utilities, Automotive Companies, Manufacturing Companies• Financial audit of schedule of Energy awards and related
compliance audit using Energy program-specific guidance• Effective now – Energy guidance to be issued any day• FAQ document at:
http://management.energy.gov/documents/ForProfit_AuditFAQ121610.pdf
Governmental Audit Quality Center 9
What Will We Cover?
Basic overview of the requirements of the 2007 Yellow Book
Key differences between the Yellow Book and GAAS
Access to references, guidance and tools
Expected revision of the Yellow Book later in 2011
Governmental Audit Quality Center 10
What Changes will a Yellow Book Engagement Require?
CPE requirements for the entire engagement team
Reporting on internal control over financial reporting and compliance
Additional independence considerations around nonaudit services
Provision of peer review report to contracting parties
Governmental Audit Quality Center 11
Basic Overview of the 2007 Yellow Book
Proper name: Government Auditing Standards, July 2007 Revision;
Commonly referred to as the Yellow Book or Generally Accepted Government Auditing Standards (GAGAS)
Issued by the Comptroller General of the United States of the U.S. Government Accountability Office (GAO)
Revised periodically
Governmental Audit Quality Center 12
Content of the Yellow Book
Chapter 1: Use and Application of GAGAS
Chapter 2: Ethical Principles in Government Auditing
Chapter 3: General Standards
Chapter 4: Field Work Standards for Financial Audits
Chapter 5: Reporting Standards for Financial AuditsChapter 6: General, Field Work, and Reporting Standards for Attestation Engagements
Chapter 7: Field Work Standards for Performance Audits
Chapter 8: Reporting Standards for Performance Audits
Appendix I: Supplemental Guidance
Appendix II: Comptroller General's Advisory Council on Government Auditing Standards
Index
*Bolded items will be covered in today’s presentation
Governmental Audit Quality Center 13
Types of Audits and Attestation Engagements Covered by the Yellow Book
Financial • Financial statement audits• Other (e.g., special reports, auditing compliance, etc.) • Covered by first 5 chapters of Yellow Book
Attestation (will not be covering in today’s session)• Examination, Review, and AUP• Some federal agencies require attestation engagements for for-
profits (e.g., Department of Education audit guides)
Performance (will not be covering in today’s session)• Program evaluations/program effectiveness and results audits• Economy and efficiency audits• Operational audits
Governmental Audit Quality Center 14
When Does the Yellow Book Apply?
When required (for example, by law, regulation, or contract)
Usually participation in federal programs (such as grants or loan programs) over a certain dollar threshold triggers a Yellow Book (and related compliance audit) requirement
Client may decide to voluntarily apply the Yellow Book in which case they would engage the auditor to perform the audit using those standards
Governmental Audit Quality Center 15
Relationship of Yellow Book with Other Standards
AICPA field work and reporting standards are incorporated by reference for financial audits and then Yellow Book requires additional standards
Public Company Accounting Oversight Board (PCAOB) and International Auditing and Assurance Standards Board (IAASB) standards can be used in conjunction with GAGAS for financial statement audits
GAO guidance document provides guidance on using the Yellow Book with PCAOB standards (http://www.gao.gov/govaud/gagaspcaob2007.pdf)
Governmental Audit Quality Center 16
Two Categories of Professional Requirements in the Yellow Book
Use of “must” or “is required” refer to unconditional requirements for which auditors are required to comply with
Use of “should” equates to a presumptively mandatory requirement• Departure from these requirements rare• Need to provide documentation supporting justification for the
departure and how an alternative procedure achieved the objective
Tool available on GAO Web site which identifies all unconditional and presumptively mandatory requirements (http://www.gao.gov/new.items/d08210g.pdf)
Governmental Audit Quality Center 17
Ethical Principles
The ethical principles guiding the work of auditors under GAGAS are:• The public interest• Integrity• Objectivity• Proper use of government information, resources,
and position• Professional behavior
Governmental Audit Quality Center 18
General Standards
The Yellow Book does not adopt the AICPA general standards; instead, it establishes its own
The four general standards are:• Independence• Professional judgment• Competence• Quality Control and Assurance
Governmental Audit Quality Center 19
Yellow Book Independence Versus AICPA
GAAS audit = AICPA’s Code of Professional Conduct Rule 101, Independence
GAGAS audit = Yellow Book independence requirements
Some Yellow Book independence rules very similar to AICPA rules
Other Yellow Book independence rules are more stringent
AICPA has made available a comparison between the two sets of standards at: http://www.aicpa.org/InterestAreas/ProfessionalEthics/Resources/Tools/DownloadableDocuments/2004_02AICPA-GAO_rules_comparison.pdf
Governmental Audit Quality Center 20
Yellow Book Independence
GAGAS states that the audit organization and the individual auditor must: • Be free from personal, external, and organizational impairments
to independence• Avoid the appearance of such impairments of independence.
Comprehensive independence Q&A issued by GAO and available at: http://www.gao.gov/govaud/d02870g.pdf (currently effective)
The Yellow Book defines certain steps an audit organization should take if an impairment to independence is identified after the audit report is issued.
Governmental Audit Quality Center 21
Yellow Book Independence
Chapter 3 of the Yellow Book addresses when auditors their organizations are independent from the following impairments:• Personal • External• Organizational
If one or more of these impairments affects or can be perceived to affect independence, the audit organization (or auditor) should decline to perform the work
Yellow Book adopts an engagement-team-focused approach similar to AICPA Code for matters such as financial interests of an individual auditor
Governmental Audit Quality Center 22
Yellow Book Independence and Specialists
Assess the specialist's ability to perform the work and report results impartially as it relates to their relationship with the program or entity under audit
If the specialist's independence is impaired, auditors should not use the work of that specialist
Governmental Audit Quality Center 23
Nonaudit Services
Need to consider the effects of any nonaudit services performed on independence for current, future, and planned audit services.
Two Overarching Principles apply to the auditor assessing the impact of performing a nonaudit service:• Should not provide nonaudit services that involve performing
management functions or making management decisions; and • Should not audit own work or provide nonaudit services in
situations where the nonaudit services are material to the subject matter of audit
Governmental Audit Quality Center 24
Nonaudit Services
Nonaudit services generally fall into one of the following categories:• Nonaudit services that do not impair the audit
organization's independence• Nonaudit services that would not impair the audit
organization's independence with respect to the entities it audits as long as the audit organization complies with identified supplemental safeguards
• Nonaudit services that do impair the audit organization's independence
Governmental Audit Quality Center 25
Nonaudit Services
Supplemental Safeguards • Document consideration of nonaudit services, including
impact on independence• Establish in writing an understanding with audited entity
about the nonaudit service and management responsibilities
• Exclude personnel who provided the nonaudit services from planning, conducting, or reviewing audit work in the subject matter of the nonaudit services
• Do not reduce the scope and extent of audit work below what would have been done if nonaudit service done by an unrelated party
Governmental Audit Quality Center 26
Nonaudit Services
Examples of nonaudit services provided in connection with a financial statement audit
Assistance with:• Drafting of financial statements and footnotes• Maintenance of fixed asset records• Implementation of an accounting standard• Preparation of tax return(s)
Governmental Audit Quality Center 27
Common Yellow Book Independence Deficiencies
Failure to identify and address potential or the appearance of impairments such as:• Nonaudit services provided• Making management decisions• Failure to consider the GAO standards and related
Q&A • Failure to comply or document compliance with
supplemental safeguards
Key to compliance with Yellow Book independence is document, document, document!
Governmental Audit Quality Center 28
Professional Judgment
Requires that auditors must use professional judgment in planning and performing audits and in reporting the results
Includes exercising reasonable care and professional skepticism
Similar to AICPA standard on due professional care
However, GAGAS expands the discussion of professional judgment as it relates to its importance in audit engagements (chapter 3 of the Yellow Book provides further guidance and description)
Governmental Audit Quality Center 29
Competence
Competence is derived from a blending of education and experience
The staff assigned must collectively possess adequate professional competence for the tasks required and include:• knowledge of GAGAS applicable to the type of work being performed• general knowledge of the environment in which the audited entity
operates• skills to communicate clearly and effectively, both orally and in writing• skills appropriate for the work being performed
If using GAGAS with other standards, auditors need to be knowledgeable and competent in applying those standards.
Governmental Audit Quality Center 30
CPE Requirement
Should complete every 2 years, at least 24 hours of Continuing Professional Education (CPE) that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates
Governmental Audit Quality Center 31
CPE Requirement
An additional 56 hours of CPE (for a total of 80 hours of CPE in every 2-year period) is needed that enhances the auditor's professional proficiency to perform audits or attestation engagements
Applicable to: • Auditors involved in any amount of planning, directing, or
reporting on GAGAS assignments; AND• Auditors who are not involved in those activities but charge 20
percent or more of their time annually to GAGAS assignments
Auditors required to take the total 80 hours of CPE should complete at least 20 hours of CPE in each year of the 2-year periods
Governmental Audit Quality Center 32
CPE Requirement
For Specialists:• Internal specialists who are part of the audit
organization and perform as a member of the audit team must comply with GAGAS, including the CPE requirements
• External specialists are not required to meet the CPE requirements but have to be qualified and maintain professional competence
• Auditors using the work of external specialists should assess the professional qualifications and document their findings and conclusions
Governmental Audit Quality Center 33
CPE Requirements
GAO has issued a guidance document on the GAGAS CPE requirements that can be found at: http://www.gao.gov/govaud/ybcpe2005.pdf
Matters Covered:• Who is subject to the requirements?• How should compliance with CPE requirements be measured?• What qualifies as acceptable CPE?• Measuring CPE hours• How are CPE requirements to be administered?
Governmental Audit Quality Center 34
Quality Control and Assurance
Paragraph 3.50 – 3.54 of Yellow Book discuss QC Requirements
Each organization performing GAGAS audits must:• Establish a system of quality control that is designed
to provide reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements; and
• Have an external peer review at least once every 3 years
Governmental Audit Quality Center 35
Quality Control and Assurance
Keep in mind that you will also have to apply the AICPA Statements on Quality Control Standards (SQCS)
Yellow Book requirements for system of quality control are generally consistent with the SQCS
SQCS can be found at:
http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SQCS.aspx
Governmental Audit Quality Center 36
Quality Control and Assurance
Additional GAGAS RequirementsAudit organizations must make their most recent peer review report publicly available
Those audit organizations seeking to enter into a contract to perform a GAGAS audit or attestation engagement should provide the following to the party contracting for such services: • The audit organization’s most recent peer review report and any letter
of comment• Any subsequent peer review reports and letters of comment received
during the period of the contract
Auditors who are using another audit organization’s work should request:• The audit organization’s latest peer review report• Any letter of comment
Governmental Audit Quality Center 37
Quality Control and Assurance
Documentation
Must document & communicate
Policies must address:• Leadership Responsibilities• Independence, Legal & Ethical Requirements• Initiation, Acceptance and Continuance of
Engagements• Human Resources• Engagement performance, documentation and
reporting• Monitoring
Governmental Audit Quality Center 38
Quality Control and Assurance
Monitoring
Monitoring is another difference between AICPA and GAGAS
GAGAS requirements state that reviews of the work and the report that are normally part of supervision are not monitoring controls when used alone
Purpose:• Ensure adherence to requirements• Ensure QC is appropriately designed• Ensure QC policies & procedures are operating effectively
Governmental Audit Quality Center 39
Quality Control and Assurance
Monitoring
Engagement Supervision Alone is not Monitoring
Audit organizations to analyze and summarize the results of monitoring procedures at least annually• Include identification of any systemic issues needing
improvement• Include recommendations for corrective action
Should be performed by individuals that collectively have sufficient expertise and authority
Governmental Audit Quality Center 40
Documentation
AICPA and GAGAS requirements for documentation very similar
Experienced auditor concept should be met
GAGAS provides additional considerations relating to:• Auditors should document evidence of supervisory review prior
to report issuance• Departures from GAGAS requirements due to law, regulation,
scope limitations, or other issues impacting audit should be documented along with the impact on audit
• Policies and procedures should be established for safe custody and retention
• Auditors should make appropriate individuals and audit documentation available upon request
Governmental Audit Quality Center 41
GAGAS Field Work – Internal Control Over Financial Reporting
Generally, GAGAS identical to that of AICPA requirements
Additional GAGAS requirements• Communicate information (during planning) about the nature of
the planned work and level of assurance to be provided on internal control
• Any potential restrictions on the scope of the audit should be communicated
• Evaluate whether the entity has taken appropriate corrective action to address findings and recommendations from previous engagements
Governmental Audit Quality Center 42
GAGAS Field Work – Compliance
GAGAS and AICPA requirements very similar for consideration of compliance with laws, regulations, as well as fraud and errors
Additional GAGAS requirements• Communicate information (during planning) about the nature of
the planned work and level of assurance to be provided on compliance
• Design audit to detect material misstatements due to noncompliance with provisions of contracts or grants
• If evidence that possible illegal acts exist that could have a material indirect effect on the financial statements, apply procedures to ascertain whether illegal act occurred
• Evaluate whether appropriate corrective action to address findings and recommendations from previous engagements
Governmental Audit Quality Center 43
GAGAS Field Work – Abuse
Additional requirement of GAGAS
Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary
May be the result of internal control deficiency
Examples provided in GAGAS:• Unneeded overtime• Staff performing personal errands• Misusing position for personal gain• Extravagant or expensive travel choices• Procurement or vendor selections that are contrary to policies
Governmental Audit Quality Center 44
GAGAS Field Work – Abuse
Not required to design audit to detect
We are not providing reasonable assurance of detecting abuse
Must follow-up when auditor becomes aware of abuse that could be material to the financial statements• Quantitative considerations• Qualitative considerations
Governmental Audit Quality Center 45
GAGAS – Management Representations
Additional representations from management:• Responsibility for compliance and internal control over financial
reporting• Identification of all direct and material laws, regulations, and
provisions of contracts and grants • Has process for tracking status of audit findings and
recommendations• Has identified previous audits and other studies related to audit
objective and whether recommendations implemented• Has provided views on auditor’s reported findings, conclusions,
and recommendations as well as corrective actions
Governmental Audit Quality Center 46
GAGAS Reporting Requirements
In addition to providing opinion on financial statements the auditor must:• Report on internal control over financial reporting• Report on compliance with laws, regulations, and
provisions of contracts or grant agreements• Report on certain fraud and abuse
Governmental Audit Quality Center 47
GAGAS Reporting Requirements
Additional Yellow Book requirements:• Auditors’ compliance with GAGAS • Internal control and compliance with laws,
regulations, and provisions of contracts or grant agreements
• Deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts grant agreements, and abuse
• Communicating additional significant matters in the auditors’ report (always have the option)
Governmental Audit Quality Center 48
GAGAS Reporting Requirements
Additional Yellow Book requirements:• Restatement of previously-issued financial
statements (goes beyond what AICPA requires)• Views of responsible officials (should be included in
findings write-ups)• Confidential or sensitive information (if prohibited
from public disclosure auditor should disclose in report that omitted and reason)
• Distributing reports (should clarify report distribution responsibilities with auditee)
Governmental Audit Quality Center 49
GAGAS Reporting Requirements
When auditors comply with all applicable GAGAS requirements, they should include a statement in the auditors’ report that they performed the audit in accordance with GAGAS
GAGAS do not prohibit auditors from issuing a separate report conforming only to AICPA or other standards
Governmental Audit Quality Center 50
GAGAS Reporting – The Yellow Book Report
Proper report title:
Report on Internal Control Over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial
Statements Performed in Accordance With Government Auditing Standards
Include description of scope of the auditor’s testing of internal control over financial reporting and compliance
State whether tests performed provided sufficient, appropriate evidence
When reporting separate from the financial statement opinion (which is common practice) must add linkage paragraph to the financial statement opinion• That issued GAGAS report • That GAGAS report is integral to the audit
Governmental Audit Quality Center 51
GAGAS Reporting – The Yellow Book Report
Include significant deficiencies and material weaknesses• Schedule of Findings and Responses• Schedule of Findings and Questioned Costs
Include all instances of fraud and illegal acts unless inconsequential
Include violations of provisions of contracts or grants and abuse that could have a material effect on the financial statements
Direct the reader to a management letter, when issued, if it addresses control deficiencies and/or noncompliance, fraud, or abuse that is other than inconsequential.
Governmental Audit Quality Center 52
GAGAS Reporting – The Management Letter
Auditors should communicate in writing:• Violations of provisions of contracts or grant agreements or
abuse that have an effect that is less than material but more than inconsequential
Determining whether and how to communicate the following is a matter of professional judgment:• Illegal acts, violations of provisions of contracts or grant
agreements or abuse that is inconsequential • Internal control deficiencies that have an inconsequential effect
on the financial statements
Governmental Audit Quality Center 53
Other Reporting Matters
Restricted Use Reports versus general use reports
Transition from GAAS only to Yellow Book (i.e., comparative financial statements)
Governmental Audit Quality Center 54
Development of Findings
Findings include control deficiencies, fraud, illegal acts, violations of provisions of contracts or agreements, and abuse
Elements of a finding:• Criteria• Condition• Cause• Effect or potential effect (prevalence)• Recommendation(s) for improvement • Management’s corrective action plan(s)
Governmental Audit Quality Center 55
Development of Findings
When reporting view of responsible officials, auditors should:• Obtain and report views of responsible officials
concerning findings, conclusions, recommendations, and planned corrective actions,
• Include in report an evaluation of the comments, as appropriate
If the audited entity does not provide comments, auditors may issue the report and indicate that the audited entity did not provide comments
Governmental Audit Quality Center 56
References, Guidance and Tools
GAO Web Site for Yellow Book: http://www.gao.gov/yellowbook
Government Auditing Standards, July 2007 Revision (GAO-07-731G) http://www.gao.gov/new.items/d07731g.pdf
Government Auditing Standards: Guidance on GAGAS Requirements for Continuing Professional Education (GAO-05-568G, April 2005) http://www.gao.gov/govaud/ybcpe2005.pdf
Government Auditing Standards: Answers to Independence Standard Questions (GAO-02-870G, July 2002) http://www.gao.gov/govaud/d02870g.pdf
Governmental Audit Quality Center 57
References, Guidance and Tools
Guidance on Complying with Government Auditing Standards Reporting Requirements for the Report on Internal Control for Audits of Certain Entities Subject to the Requirements of the Sarbanes-Oxley Act of 2002 and Government Auditing Standards (December 2007) http://www.gao.gov/govaud/gagaspcaob2007.pdf
AICPA has made available a comparison between AICPA and GAGAS independence standards at: http://www.aicpa.org/InterestAreas/ProfessionalEthics/Resources/Tools/DownloadableDocuments/2004_02AICPA-GAO_rules_comparison.pdf
Governmental Audit Quality Center 58
References, Guidance and Tools
Tool available on GAO Web site which identifies all unconditional and presumptively mandatory requirements (http://www.gao.gov/new.items/d08210g.pdf)
For technical or practice questions directly related to Government Auditing Standards, our e-mail address is: [email protected]
Governmental Audit Quality Center 59
References, Guidance and Tools
GAQC Web site: http://aicpa.org/GAQC
AICPA Government Auditing Standards and Circular A-133 Audits and related Risk Alert available at http://www.cpa2biz.com/ • Chapters 1-4 relevant to GAGAS• Report illustrations
Governmental Audit Quality Center 60
Future Revision of the Yellow Book
Final issuance of 2011 revision of Yellow Book expected later this year
Government Auditing Standards, 2010 Exposure Draft (GAO-10-853G, August 2010) and available at: http://www.gao.gov/new.items/d10853g.pdf
Primary area of change is independence requirements (to align the Yellow Book more closely with AICPA rules
Effective date
GAQC Archived Web event, What You Need to Know About the 2010 Yellow Book Exposure Draft, provides you with summary of major changes proposed http://www.aicpa.org/InterestAreas/GovernmentalAuditQuality/Resources/Pages/WhatYouNeedtoKnowAboutthe2010YBED–MemberWebEvent.aspx